Yuya Itagaki1 Atsushi Terayama1 Koji Nakaya1 Junichiro Katsu1
We have developed two types of temperature input module as the I/O function of the ProSafe-RS safety instrumented system. These modules conform to the safety integrity level (SIL) 3, which is defined in the IEC61508 international functional safety standard, and achieve fast response and high reliability. This paper introduces their functions in the safety system and describes how the functions are achieved.
- Field I/F Development & Engineering Dept., Industrial Automation Systems Business Headquarters
INTRODUCTION
|  | 
| Figure 1 External view of the temperature input module | 
Yokogawa's ProSafe-RS safety instrumented system is used for many applications1 as a system conforming to the safety integrity level (SIL) 3 defined in the IEC61508 international functional safety standard2.
To deal with temperature inputs, systems were conventionally configured using signal conditioners. However, securing enough space for signal conditioners was often difficult in such system configurations. Especially when SIL 3 is required, the problem is serious because a redundant configuration is required. Figure 1 shows an external view of the newly developed temperature input modules conforming to SIL 3: SAT145 for the thermocouple and SAR145 for the resistance temperature detector.
Using a new temperature input module eliminates the need for a signal conditioner as shown in Figure 2. Combined with the compact terminal board that was concurrently developed, the modules solve the problem of installation space.
These newly developed modules are based on the basic specifications and highly reliable technologies of the existing AAT145 and AAR145 temperature input modules for the CENTUM VP integrated production control system. Employing more advanced self-diagnosis, they have achieved conformity to SIL 3, which safety systems are required to meet. The modules have also satisfied the requirements for high-speed input response and fault detection, both of which safety system applications are required to meet. They also have achieved high availability and maintainability to increase plant productivity.
This paper explains the high safety integrity level, high-speed response, high availability, and increased maintainability required for a safety module, which are all achieved in the new modules.
BASIC SPECIFICATIONS OF SAT145/SAR145 TEMPERATURE INPUT MODULES
|  | 
| Figure 2 Example of system configuration with SAT145 | 
The basic specifications of the newly developed SAT145/ SAR145 temperature input modules are equal to or higher than those of the AAT145 and AAR145 temperature input modules for our CENTUM VP system. Table 1 shows the basic specifications of the new modules.
While there are as many as 16 input points, individual channels are isolated and the data update period is as high as 150 ms.
The burnout (breaking of a wire) detection time is reduced to 1.5 seconds, over ten times faster than the CENTUM VP I/O modules.
 
Table 1 Basic specifications of temperature input modules
| Specification | Model | |
|---|---|---|
| SAT145 | SAR145 | |
| Function | TC/mV input | RTD input | 
| Number of input channels | 16-channel | 16-channel | 
| Input signal | TC input: J, K, E, T, S, R, N, B mV input: - 100 to 150 mV | RTD input: Pt100, Pt50, Pt200, Pt500, Pt1000 Ni100, Ni120 | 
| Accuracy | TC: ± 40 µV mV: ± 40 µV | 800 Ω range: ± 180 mΩ 4000 Ω range: ± 1700 mΩ | 
| Isolation type | Isolated channels | Isolated channels | 
| Data update period | 150 ms | 150 ms | 
| Burnout detection time | 1.5 sec | 1.5 sec | 
SAFETY DESIGN ARCHITECTURE
1) Requirements for meeting SIL 3
|  | 
| Figure 3 Configuration of entire module | 
When designing a ProSafe-RS system, the design target to configure a SIL 3-compliant safety loop is keeping the Probability of Failure on Demand (PFD) for the entire safety loop less than 1.5 × 10-4, or 15% of the required rate for SIL 3 (10-3 to 10-4). To achieve this, assuming that the proof test (validation test during a periodic inspection) is conducted every 10 years, the total undetected dangerous failure rate (λDU) of all the components constituting the safety loop should not exceed 3.4 fit (failure rate of once in 340,000 years). That means the failure rate of a single I/O module has to be extremely small.
The IEC61508 also stipulates that the Safe Failure Fraction (SFF: (Total failure rate - λDU) / total failure rate × 100%) required for SIL 3 shall be 99% or higher. In other words, the undetected dangerous failure rate has to be below 1% using every possible self-diagnosis.
2) Safety design
|  | 
| Figure 4 Channel configuration of SAT145 | 
A high fault detection rate has been achieved by inheriting the method proven in the existing I/O modules for the ProSafe-RS, which compares calculation results using two microprocessors.
In addition, the new modules have achieved high fault- detection capability by appropriately implementing diagnosis functions in each channel: the activation diagnostics, i.e., intentional change in the operating condition of the input circuit, and the comparison among multiple input circuits. Both are effective for detecting failures.
3) Safety verification
We have confirmed the conformity to SIL 3 by the Failure Modes Effects and Diagnostic Analysis (FMEDA). The validity of the analysis was proved by tests on actual equipment, such as fault insertion testing.
MODULE CONFIGURATION AND DIAGNOSIS
Module configuration
|  | 
| Figure 5 Channel configuration of SAR145 | 
Figure 3 shows the configuration of the entire temperature input module. The system side is isolated from the channel side and individual channels are isolated. Both microprocessors read the input of each channel and convert it to temperature data. The converted results of the microprocessors are compared to verify the validity of input data and integrity of the microprocessors.
Figure 4 shows the detailed configuration of a channel of the SAT145 and Figure 5 shows that of the SAR145. Each channel is provided with its own input circuit and A/D converter.
Diagnosis of input channel
Each module has a diagnosis function appropriate for its channel circuit configuration to maximize the fault detection capability. The input circuit receives a signal from a sensor. It is an analog circuit comprising analog filters, op-amps and others.
- SAT145
 The SAT145 reads a voltage generated in a thermocouple (TC) and converts it to a temperature. As shown in Figure 4, two input circuits are provided for a channel. Data read from these two input circuits are compared to detect a failure in the input circuits.
- SA R145 
 The SAR145 supplies a current to a resistance temperature detector (RTD), reads the produced voltage and converts it to a temperature. As shown in Figure 5, a channel consists of an input circuit and a current source. The current supplied to the resistance temperature detector is changed intentionally, thereby activating the input circuit, to detect a failure in the circuit.
ACHIEVEMENT OF HIGH SPEED RESPONSE
As described above, each channel is provided with its own A/D converter so that all the channels can perform A/D conversion simultaneously, reducing the cycle time of data acquisition and accelerating the input response.
Quick self-diagnosis was implemented to achieve a fault reaction time within three seconds, which is specified in the EN298 (a standard for burner management) and required for a safety instrumented system.
Although the time for most of the self-diagnosis has been successfully reduced by reducing the data acquisition cycle time like that for data input, the time for burnout detection to detect breaking of a wire cannot be reduced by this method alone. We have solved this by the following method.
When a wire in a sensor or field wiring breaks, the PV is intentionally shifted in the predefined upward or downward directions. The host system detects breaking of a wire based on the PV value.
Even when a wire breaks, the input voltage to the I/O module is usually kept unchanged for a while due to stray capacitance among the field wirings or in the I/O module circuits, thus breaking of a wire cannot be detected immediately. To quickly detect burnout, the current for burnout detection is supplied to shift the input voltage intentionally. However, in the CENTUM VP system, it has taken a long time to detect breaking of a wire because of the specific circuit configuration of the temperature input module.
To reduce the time taken to detect breaking of a wire, the following methods are introduced in these new modules.
- SAT145 
 For the SAT145, we have increased the burnout detection current to reduce the transition time, thereby reducing the detection time.
 The burnout detection current is supplied at a timing when it will not affect the A/D conversion of the input voltage, and this will not affect the PV accuracy.
- SA R145 
 The SAR145 is provided with two current sources for the resistance temperature detector, thus eliminating the effect of stray capacitance and enabling faster detection.
 The alternate use of the two current sources helps compensate the effect of a relative error of the current sources and minimize the effect on the accuracy.
HIGH AVAILABILITY AND GOOD MAINTAINABILITY
A safety system is required to have high availability and good maintainability as a whole system as well as to meet the safety integrity level and achieve a high-speed response. Therefore, the system must have high noise-resistance capability, and in case of a failure, the causes must be easily identified.
High availability
To improve noise-resistance capability, we have taken both hardware and firmware measures. An appropriate A/D conversion sampling rate is applied to suppress noise especially for data susceptible to the field environment among all acquired data. Transient noise that cannot be suppressed by this measure is reduced by a filter.
A failure in the system or abnormality in the field wiring can be notified while the PV value immediately before the trouble is held. Thus, it is possible to optimize the system behavior in the case of trouble for every application. Especially in a redundant configuration, the PV value can be bumplessly switched in the case of failure, which enables seamless system control operation.
With these measures, we have achieved high availability.
Good maintainability
Prompt and adequate maintenance is required to respond to a failure. Therefore, the system must be able to accurately identify the fault point.
Especially, it is important to distinguish failures caused by external factors such as breaking of a wire in the field wiring, and those caused by internal factors such as a failure of a component in a module. To achieve this, we have added a diagnostic circuit and strengthened the function to identify the causes of failures by acquiring more diagnostic information. Thus, we have enhanced the maintainability.
FEATURES OF COMPACT TERMINAL BOARDS FOR INPUT MODULES
|  | 
| Figure 6 External view of compact terminal board | 
This section introduces the features of the SBT4D and SBR4D compact terminal boards developed for the TC and RTD input modules.
Figure 6 shows an external view of the compact terminal board and Table 2 shows the basic specifications.
In order to utilize the limited mounting space, the terminal board is required not only to increase the number of points per unit area but also to freely arrange each module.
The newly developed compact terminal boards save space. A terminal board with the width of 4.3 inches is connected to one I/O module.
These compact terminal boards can be mounted either vertically or horizontally. They can also be mounted on universal DIN rails, flexibly meeting various market needs.
Tables 3 and 4 show the maximum number of input points accommodated in the 19-inch wide space. Compared with those of the AET4D and AER4D terminal boards for temperature input for the CENTUM VP, their mounting efficiency per width of 19 inches is improved by two times for the SBT4D and four times for the SBR4D.
Table 2 Basic specifications of compact terminal boards
| Specification | Model | |
|---|---|---|
| SBT4D | SBR4D | |
| Function | TC/mV input with reference junction compensation | RTD input | 
| Number of connection points | 16-channel | 16-channel | 
| Size | 4.3-inch wide (110 × 90 × 35 mm) | 4.3-inch wide (110 × 90 × 35 mm) | 
Table 3 Number of connection points of TC/mV input
| Specification | Model | |
|---|---|---|
| SBT4D | AET4D | |
| Number of connection modules | 1 module | 2 modules | 
| Number of input points per width of 19 inches | 64 channels (max. 4 units) | 32 channels (max. 1 unit) | 
Table 4 Number of connection points of RTD input
| Specification | Model | |
|---|---|---|
| SBR4D | AER4D | |
| Number of connection modules | 1 module | 2 modules | 
| Number of input points per width of 19 inches | 64 channels (max. 4 units) | 32 channels (max. 1 unit) | 
CONCLUSION
This paper has explained the basic specifications and features of the SIL 3-compliant temperature input modules for the ProSafe-RS.
While adding new I/O modules satisfying market needs to the lineup for the ProSafe-RS, we will continue to improve system usability for safety system applications and seek further evolution and advances in safety solutions.
REFERENCES
- Yasuhiko Yamashiro, et al., "Hardware Features of the ProSafe-RS," Yokogawa Technical Report English Edition, No. 40, 2005, pp. 47-50
- IEC 61508 ed2.0:2010, Functional Safety of Electrical/Electronic/ Programmable Electronic Safety-related Systems.
- ProSafe and CENTUM are registered trademarks of Yokogawa Electric Corporation. Other product names are trademarks or registered trademarks of respective companies.
Related Industries
- 
									전력1970년대 중반, Yokogawa는 EBS 전기 제어 시스템 (EBS Electric Control System)의 출시와 함께 전력 사업에 진출했습니다. 그 이후로 Yokogawa는 전 세계 고객에게 최상의 서비스와 솔루션을 제공하기 위한 기술과 역량의 개발을 꾸준히 지속해 왔습니다. Yokogawa는 역동적인 글로벌 전력 시장에서 더욱 적극적인 역할을 수행하기 위해 글로벌 전력 솔루션 네트워크를 운영했습니다. 이로 인해 Yokogawa 내에서 보다 긴밀한 팀워크가 가능해져서 글로벌 리소스와 업계 노하우를 하나로 모았습니다. Yokogawa의 전력 산업 전문가들은 각 고객에게 정교한 요구 사항에 가장 적합한 솔루션을 제공하기 위해 협력합니다. 
- 
									벌크화학석유 화학 제품, 무기물 또는 중간체를 생산하든 관계없이 화학 회사는 안전하고 호환되는 작업을 유지하면서 적시에 효율적인 방법으로 제품을 제공하는 비용과 마진 압박에 시달리고 있습니다. 또한 화학 회사들은 공급 원료 및 에너지 가격의 변동에 적응하고 가장 수익성 높은 제품 혼합을 시장에 제공해야 합니다. Yokogawa는 벌크 화학 시장의 자동화 요구 사항을 세계적으로 지원해 왔으며 이 시장에서 인정받는 선두 주자입니다. Yokogawa는 제품, 솔루션 및 업계 전문 기술을 통해 시장 및 생산 요구 사항을 이해하고 플랜트의 수명주기를 통해 안정적이고 비용 효율적인 솔루션을 제공하기 위해 협력합니다. 
Related Products & Solutions
- 
							Distributed Control System (DCS)10,000개가 넘는 플랜트의 운영자는 매년 생산 목표를 달성하기 위해 Yokogawa의 DCS 기술과 솔루션을 신뢰합니다.